[c-nsp] Cisco 2620 and Pix 515E Config help please

Richard Danielli richard.danielli at esubnet.com
Thu Apr 7 16:53:36 EDT 2005


Bob,

Well, for starters, turn off NAT.
Tell your ISP what you are doing ...

and
	ip verify unicast reverse-path
seems a bit redundant on a single path  :)

-rd-


Bob Fronk wrote:
> Good afternoon.
>
> I am replacing a 2620 that we have been using as our Firewall with a PIX
> 515E.
>
> I am trying to correctly configure another 2620 as my Internet Router
> which will serve as the CSU/DSU router in front of the PIX.
>
> Current setup is (IPs edited for privacy):
>
> !
> !
> interface Loopback0
>  description Public IP Block
>  ip address 2.2.2.2 255.255.255.224
> !
> interface FastEthernet0/0
>  ip address 192.168.2.1 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip accounting access-violations
>  ip nat inside
>  ip inspect Inside in
>  ip tcp adjust-mss 1400
>  duplex auto
>  speed auto
> !
> interface Serial0/0
>  description Sprint PL Internet Access
>  ip address 1.1.1.1 255.255.255.252
>  ip access-group Firewall in
>  ip verify unicast reverse-path
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip accounting access-violations
>  ip nat outside
>  encapsulation ppp
>  fair-queue
>  no cdp enable
> !
> ip nat inside source interface Serial0/0 overload
> ip nat inside source static 192.168.2.x 2.2.2.3
> ip nat inside source static 192.168.2.x 2.2.2.4
> ip nat inside source static 192.168.2.x 2.2.2.5
> ip nat inside source static 192.168.2.x 2.2.2.6
> ip nat inside source static 192.168.2.x 2.2.2.7
> ip classless
> ip route 0.0.0.0 0.0.0.0 x.x.x.x
>
> In one of the access lists there are commands to allow traffic to the
> serial and loopback:
>
>  remark Permit any traffic to the outside interface
>  permit ip any host 1.1.1.1
>  remark Allow any traffic to the loopback interface
>  permit ip any host 2.2.2.2
>
> There is also an access list allowing specific ports on the IPs that
> have the static nat entries.
>
> What I cannot find documentation on is how to pass the Public IP block
> through to the PIX since the Public IP block is not the same as the
> serial interface IP.  Will I need to nat the public block to addresses
> in the PIX?
>
> 
> Your help for a relative newbie is appreciated.
>
> Bob
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Richard Danielli
President, eSubnet

(416) 203-5253
www.eSubnet.com
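As an added sketch of the "turn off NAT" approach (my own illustration, not Richard's or Bob's config): the public /27 moves from Loopback0 onto the Ethernet facing the PIX, the PIX outside interface takes an address inside that block and uses the router as its gateway, and the router only routes. It uses the thread's placeholder addresses and assumes the ISP routes 2.2.2.0/27 towards 1.1.1.1 and that the PIX, not the router, holds the static translations for the inside hosts.

```cisco
! 2620 in front of the PIX: routing only, no NAT on the router.
! Assumptions: the ISP routes 2.2.2.0/27 to 1.1.1.1; the PIX outside
! interface sits in 2.2.2.0/27 (say 2.2.2.3, a constructed value) with
! 2.2.2.2 as its default gateway; the PIX does any translation.
interface FastEthernet0/0
 description Public IP block, link to PIX outside
 ip address 2.2.2.2 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
!
interface Serial0/0
 description Sprint PL Internet Access
 ip address 1.1.1.1 255.255.255.252
 ip access-group Firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 fair-queue
 no cdp enable
!
! Loopback0, "ip nat inside/outside" and every "ip nat inside source"
! line are gone; 2.2.2.0/27 is now a connected route via FastEthernet0/0,
! so packets for the public addresses are simply forwarded to the PIX.
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
! The inbound "Firewall" ACL must let the ISP reach the whole public
! block rather than only host 2.2.2.2; the PIX policy does the
! per-port filtering for the hosts it answers for (constructed entry).
ip access-list extended Firewall
 remark Traffic to the public block is passed through to the PIX
 permit ip any 2.2.2.0 0.0.0.31
```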

